Courtesy of Nordic Semiconductor : Wireless smart lock makers react to security scares
An avalanche of media reports has highlighted potential vulnerabilities in Bluetooth Low Energy wireless technology’s connections. Is the attention warranted?
We’ve all seen them, scare-tactic headlines that have popped up on online searches since the smart home shifted from gimmick towards mainstream. “If you use smart Bluetooth locks, you’re asking to be burgled”, or, “Have a smart lock? Yeah, it can probably be hacked”, are two examples amongst many, and it is creating the perfect contradiction in growth projections for the smart lock market.
According to analyst Credence Research, the global smart lock market is predicted to be worth $3.5 billion by 2025, as consumers are eager to invest in home automation systems because of increased security concerns for their family and property. At the same time, Credence Research says, a significant factor restraining market growth is also security, and the fear these solutions are vulnerable to hacking. Secure if we do, secure if we don’t – which is it?
No vendor of a Bluetooth Low Energy (Bluetooth LE) smart lock can guarantee its solution is 100 percent secure or ‘unhackable’, but this is not distinct to smart lock manufacturers. No vendor of any online- or wirelessly-networked solution can make that promise, at least not in good faith. But not all Bluetooth LE hardware and software is created equal, and get your Bluetooth LE protocol implementation right and chances of a security breach reduce dramatically. Any potential hackers will hopefully move on to easier targets.
“While it’s true that no network can ever be 100 percent secure, it’s still possible to reach a level of security where the time and effort to break it is greater than the reward,” says Pål Kastnes, Technical Marketing Manager with Nordic Semiconductor. “To achieve this, security must be factored into product development from the beginning. Developers can use the secure protocols baked into Bluetooth to create simple, secure IoT devices, but just as a door is only secure if you remember to lock it, Bluetooth is only secure if you implement its in-built security features properly.”
The two principal hacking risks for Bluetooth LE smart locks are so called ‘passive eavesdropper’ and ‘man-in-the-middle’ (MITM) attacks. A passive eavesdropper will passively record all the communication in the key exchange phase, and can then process these packets after the fact. If the hacker is successful in decrypting the key exchange packets, then the security key will be available. In MITM attacks, the hacker acts as a middle man between the smart lock and the user’s smartphone or tablet, impersonating each endpoint and compromising the data being exchanged between the two.
These threats are highest during the commissioning process, when the Bluetooth LE lock is paired with the user’s smartphone or tablet, and one of the primary commissioning challenges is how to exchange security keys in a safe manner. Strong authentication and encryption is essential, as is the need for it to remain secure throughout its lifecycle, including the ability to be updated securely if any problems come to light post-launch.
The most common way to avoid passive eavesdropper attacks is to use an asymmetric encryption scheme to exchange the security keys. In such a system each node in the link will generate a public/private key pair and send its public key to the peer node. The peer can then encrypt its security information using the public key, and only the private key can be used to decrypt this information. To avoid MITM attacks, systems authenticate the link over a separate (Out-of-Band or “OOB”) data channel.
Unfortunately, as smart lock developers have scrambled to rapidly release Bluetooth LE-based security solutions to take advantage of increasing consumer interest and adoption, appropriate implementation of the Bluetooth LE protocol has often taken a back seat, leaving some solutions vulnerable to hacking attempts. And as one Bluetooth LE safe lock manufacturer discovered, made worse by their lock’s inability to perform over-the-air device firmware updates (OTA-DFU), preventing remedial patching.
Nordic Semiconductor’s nRF52 Series System-on-Chips (SoCs) provide developers with a number of security features that with the appropriate implementation, should ensure hackers will go in search of easier victims. As one smart lock manufacturer is now painfully aware, the ability to perform software and firmware updates is an absolute necessity. All nRF52 Series SoCs support OTA-DFU, using secure signatures to authenticate that only updates coming from a verified and trusted source can be made on a given device.
The Advanced Encryption Standard (AES) offers strong protection, especially at the embedded level, but does place demands on the chip’s processing power and memory. All nRF52 Series SoCs have both a powerful Arm processor and ample Flash memory and RAM to handle the demands of AES, and simultaneously support challenging, processor-intensive applications.
For additional security, the nRF52832 and nRF52840 SoCs also offer an on-chip Near Field Communication (NFC)-A tag, enabling OOB pairing and simplifying the process of authenticated pairing between two Bluetooth devices by exchanging authentication information over an NFC link. The short range of an NFC connection makes it much harder for signals to be intercepted by a hacker. The other advantage of NFC is that the user doesn’t have to manually enter or verify a passkey, which simplifies the commissioning process.
For developers with applications requiring best-in-class hardware and software security, the nRF5240 SoC also incorporates an Arm TrustZone Cryptocell-310 cryptographic co-processor, providing cryptographic functions and incorporating a true random number generator (TRNG), as well as support for a wide range of asymmetric, symmetric, and hashing cryptographic services.
It is these features—alongside heightened awareness of the need for uncompromising security in Internet of Things (IoT) applications—that has seen Nordic SoCs increasingly specified in Bluetooth LE security applications.
Late last year Danish smart home IoT company, Poly-Control Aps, launched its ‘Danalock V3’ smart lock that can be retrofitted to a manual door lock to provide a complete door entry and security solution. The Bluetooth LE smart lock eliminates the need to carry door keys or replace a door lock when keys are lost or stolen, and users can configure and control the smart lock via the smartphone companion app.
While the Nordic nRF52832 SoC enables the Bluetooth LE connectivity required to wirelessly control, share, and monitor the door lock, security was an equally important consideration. As Hans Overgaard, Poly-Control Co-founder and CEO, explains: “AES-256 encryption makes Danalock much safer, it is nearly impossible to hack.”
U.S.-based Nokē is another smart lock designer and manufacturer that has worked with Nordic for a number of years, migrating from the nRF51 Series to the nRF52832 SoC and its advanced, in-built security functionality.
Nokē recently unveiled its ‘Nokē Pro’ enterprise software solution, allowing businesses to remotely operate potentially thousands of Bluetooth LE locks via a smartphone app or desktop web portal.
In addition to supervising Nordic’s Bluetooth 5-certifed RF software protocol stack, the nRF52832 SoC’s Arm M4F processor has ample power to run Nokē’s decentralized radio communications protocol, and bidirectional self-optimizing mesh networking software. The mesh software enables remote opening and key changes for Nokē locks, as well as enabling lock activity and alarm notifications to be sent to the Cloud.
“We selected the nRF52832 SoC because it can control everything,” says David Gengler, Nokē Founder and CEO. “It is easy to work with, the Software Development Kit and documentation is solid, and it works well with our mesh protocol.”
The security scare headlines will no doubt continue, but not every Bluetooth LE lock is created equal. It may be true that no smart lock can be 100 percent secure, but it’s also true that a poorly implemented and commissioned Bluetooth LE lock will always be more vulnerable to hacking than one that has implemented end-to-end security appropriately and effectively.
Nordic’s Bluetooth LE SoftDevices (RF protocols), tested and re-tested under the most challenging conditions, and complemented by powerful nRF52 Series hardware, are among the most secure in the business.